We want to inform you about the release of a new Heimdal™ Production Dashboard version, 2.5.402, which is now live. The Heimdal™ Windows and Linux Production Agents will be available for download in the dashboard (“Guide” section, “Download and install” tab) starting Monday, March 21st, 2022; the Windows agent will be deployed on a roll-out basis over the coming weeks.
Here are the main features and improvements rolling in with the new 2.5.402 Production release:
Flagship Feature
Heimdal™ Patch & Asset Management, Linux OS 3rd Party Patch Management & Operating System Updates:
This brand new submodule, a valuable addition to your cyber security lineup, is part of the Patch & Asset Management module and enables you to run 3rd party and Operating System updates for Linux Ubuntu environments (to start with). To use it, you will need to download the brand new Heimdal™ Ubuntu 1.0 version of the Linux agent found in the dashboard (“Guide” section, “Download and install” tab). The licensing and pricing models are the same as for the Windows Operating System: 3rd party patch management and Operating System Updates are part of the standard Patch & Asset Management license, while Infinity Management comes with a separate license.
For a detailed, technical description of the submodule, please refer to the Release Notes sent on February 24th, 2022, and in case you missed those, do reach out to our Support department or your account manager and they will happily provide the necessary documentation.
Heimdal™ Dashboard:
- Enhanced Endpoint Settings management – Access Control for specific and full Group Policy access
In the Accounts -> Access Control tab of the Heimdal Dashboard, three new Claim categories have been added: “Manage Windows Endpoint Settings area”, “Manage macOS Endpoint Settings area” and “Manage Android Endpoint Settings area”. To each of these claim categories, two claim types have been added:
- “Full access device settings” – allowing the owner of the claim to perform changes on all the Group Policies
- “Specific access device settings” – allowing the owner of the claim to perform changes only on specific Group Policies
The two claims are mutually exclusive: a user can’t have both permissions at the same time. The “Specific access device settings” claim does not allow operations such as creating, duplicating, deleting, or changing the priority of Group Policies.
Heimdal™ Threat Prevention Network:
- “Prevented Attacks” & “Hostname” clickable in DarkLayer Guard™ Network
As a further improvement to the addition of the “Prevented Attacks” column in Threat Prevention Network -> DarkLayer Guard™ Network -> Standard view, we now allow the dashboard user to click the “Hostname”, “Approved Requests” and “Prevented Attacks” fields, thus providing more granular forensic information.
Clicking on the “Hostname” leads the user to the Client Specifics view (a grid-like overview of the queries intercepted by the TPN LogAgent and the servers, for a specific endpoint). The raw data is visible only if the machine is found under Active Clients.
In the “Domain” column, the user can click the “I”/Information icon, which redirects to the Investigate View and provides multiple data points related to that domain; there is also a VirusTotal icon which, if clicked, takes the user to the VirusTotal domain info page.
Clicking on the “Approved Requests” or “Prevented Attacks” number takes the dashboard user to a “DNS queries” view showing the accepted or blocked DNS requests (filter preset to “DNS Query Passed” or “DNS Query Blocked”, respectively).
- Threat Prevention Network Block by Category
This functionality allows the dashboard user to block groups of domains belonging to specific categories (illegal content, gambling, sexuality, etc.). It can be enabled or disabled from the Network Settings -> Threat Prevention tab and, if enabled, a drop-down list of preset “to be blocked” categories becomes available (single and multiple selections are supported).
- Threat Prevention Network Custom block page
This functionality (a check box found in Network Settings -> Threat Prevention) gives the dashboard user the option to import an .html file with their custom Block page layout instead of using the Heimdal standard Block Page. The custom or standard block page is displayed whenever an attempt is made to access a blocked, category-blocked or blacklisted domain. Please be aware that, when importing a custom block page, the change may take up to 30 minutes to take effect.
- Threat Prevention Network LogAgent Settings
In the Network Settings -> Threat Prevention GP area, we created a dedicated “LogAgent Settings” area containing new settings related to our TPN LogAgent app. These new settings are:
- “Log unknown hostnames” – when enabled, the Standard and Latest Threats dashboard views display unknown hostname entries as well as known hostname entries
- “Log local domains” – when enabled, the LogAgent app also records entries related to local domains
We also added a “Policy Check Interval” slider, which sets the frequency (in minutes) at which the TPN LogAgent updates its local settings.
Heimdal™ Threat Prevention Endpoint:
- DarkLayer Guard™ Endpoint and Network forensic enhancements
The enhancements consist of adding the “Investigate view” (a new tab) to the Threat Prevention Network -> DarkLayer Guard™ Network dashboard area, and of enriching the information provided in both the DarkLayer Guard™ Endpoint and the DarkLayer Guard™ Network Investigate views.
In the Investigate View, new data was added on the most frequently encountered processes accessing the queried domain and on the domains/URLs related to the queried domain’s IP. In both cases, the top 3 entries are displayed.
The most encountered processes accessing the queried domain will be showcased from two perspectives:
- Your Matches TPE: the number of times, in the selected time frame, the domain has been intercepted via Threat Prevention Endpoint in the customer’s environment
- Global Matches TPE: the number of times, in the selected time frame, the domain has been intercepted via Threat Prevention Endpoint in all the Heimdal customers’ environments.
The top domains/ URLs related to the queried domain’s IP will be also presented in two dimensions:
- Your Matches TPE + TPN: the number of times, in the selected time frame, the related domain has been intercepted via both Threat Prevention Network and Threat Prevention Endpoint in the customer’s environment
- Global Matches TPE + TPN: the number of times, in the selected time frame, the related domain has been intercepted via both Threat Prevention Network and Threat Prevention Endpoint in all the Heimdal customers’ environments.
- VectorN Detection™ alerts “Hide” button
In the Threat Prevention -> VectorN Detection™ module, Standard & Client Specifics views, we have implemented the option to temporarily dismiss (for 30 days) a VectorN Detection™ alert. This option is useful for alerts you consider false positives, and for the scenario in which you want to be able to elevate through Privileged Access Management while the module is on and the “De-elevate and block elevation for users with risk or infections” check box is enabled.
When selecting one or more endpoints with detections and using the “Select what action to take” drop-down list, the user will find a new option, “Hide”, allowing them to dismiss the alert for 30 days. There is also a “Show hidden detections” filter which, if enabled, also displays the hidden alerts, singling them out with a vertical blue bar next to the checkbox pertaining to the hostname.
In the Heimdal™ agent pop-up message that an end-user gets when requesting PAM elevation, in the scenario in which there is an active VectorN Detection™ and the “De-elevate and block elevation for users with risk or infections” tick box (Endpoint Settings -> Privileges & App Control -> Privileged Access Management) is enabled, the following text will be displayed:
“VectorN has detected malware in your system. Contact your IT administrator to dismiss the detection and/ or click here for more info.”
Heimdal™ Endpoint Detection, Next Gen Antivirus & MDM:
- Next-Gen AV Exclusions List enhancement
In the Endpoint Settings -> Endpoint Detection -> Next-Gen Antivirus tab, Next-Gen AV Exclusion List area, you can now add up to 10 exclusions per page and export the list to a .csv file containing the File Name/Path, Type, and Priority information. Another small improvement is that duplicate entries are no longer allowed in the Exclusions List.
Heimdal™ Privileges & App. Control, Application Control:
- Show logs in a different view (raw data)
In the Dashboard -> Privileges & App Control -> Application Control tab we added another view called “Raw data” (the view is also available in the Management -> Active Clients section of the Heimdal™ dashboard). The view displays all the intercepted processes in the selected timeframe, without aggregating the data.
Given the large amount of data stored, we highly recommend selecting smaller time frames (minutes, or at most hours) to avoid timeout exceptions. The view displays a maximum of 10.000 intercepted applications. We’ve also enhanced all the App Control views, enabling the Dashboard user to sort the data by “Status” and to view and sort by “Timestamp” (when the interception took place).
Other improvements & fixes:
- Patch & Asset management API optimization
We made further enhancements to the 3rd party software Corporate Customers API: we added a new status parameter named “latest” which, if specified in the API call, returns only the latest update statuses for patched applications (e.g.: https://dashboard.heimdalsecurity.com/api/heimdalapi/thirdparty?customerId=195670&status=latest). We’ve also added the “release date” field, stating the date when the patch was added to the system.
- Detect “user context” apps. & display them in the 3rd Party Software, Assets view
An enhancement was made to the Patch & Asset Management -> 3rd Party Software -> Assets view: applications installed under a user context are now discoverable and shown in this view.
- Excel download option of Endpoint Settings (GPs and settings)
A “Download” button was added to the Endpoint Settings GP management view (all 3 tabs: Windows GP, macOS GP, and Android GP) which, when pressed, offers an Excel export of the Group Policies and their settings. The downloaded data contains all the field values from the settings (scheduler, text values, check boxes, etc.) except for collection lists (Next-Gen AV Exclusions list, Domains Blacklist/Whitelist values, etc.).
- Addition of the Azure AD groups column to Endpoint Settings, Windows GP management view
An “Azure AD groups” column was added to the Endpoint Settings -> Windows GP tab, Windows GPs management view/table. It specifies whether one or more AAD groups are associated with a specific GP. If more than one AAD group is linked to a Group Policy, there is an option to expand the view and see all of them.
- Addition of the Next-Gen Antivirus functionality issues to the Corporate Customers and Partner reports
Next-Gen AV functionality issue information has been added to the Heimdal™ Endpoint Detection - Next-Gen AV report (Accounts section of the dashboard), letting customers and partners know whether any malfunctions were encountered in the Antivirus product (e.g.: Virus Definitions not updated, clashes with another AV product, etc.). A dedicated section providing hostname, Error details, and timestamp information was included in the Most Affected Endpoints part of the existing report.
- Access Control List claim for Remote Desktop Supporters’ management
A new Claim Category (“Remote Desktop connection”) and Claim Type (“Remote desktop connect full access”) were added in the Accounts -> Access Control tab of the dashboard, to allow granular control over the Remote Desktop connection options granted to Supporters (either for specific GPs or for all GPs).
There are four possible scenarios, described below:
- Scenario 1: “Specific access device settings Windows area” is enabled, but “Remote desktop connect full access” is disabled => the supporter can connect only to end-user computers which are included in the GPs specified under “Specific access device settings windows”
- Scenario 2: “Full access device settings windows” is enabled => the supporter can connect to any endpoint, regardless of whether the “Remote desktop connect full access” is awarded or not
- Scenario 3: “Remote desktop connect full access” is enabled => the supporter can connect to any endpoint, regardless of the GP to which the endpoint is assigned
- Scenario 4: “Full access device settings windows”, “Specific access device settings windows” and “Remote desktop connect full access” are disabled => the Supporter is not able to connect to any endpoint
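The four scenarios above, together with the rule that the full and specific device-settings claims are mutually exclusive, amount to a small access decision. The following is an added illustration written for these release notes, not Heimdal’s own code: a hypothetical model of a Supporter’s claims and a function that applies the scenarios to a constructed endpoint inventory, so an administrator can check which endpoints a given claim set actually reaches.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SupporterClaims:
    """Hypothetical model of the Access Control claims held by a Supporter."""
    full_access_windows: bool = False         # "Full access device settings windows"
    specific_access_windows: bool = False     # "Specific access device settings windows"
    specific_gps: frozenset = frozenset()     # GPs named under the specific-access claim
    remote_desktop_full_access: bool = False  # "Remote desktop connect full access"

    def __post_init__(self):
        # The dashboard does not let a user hold both device-settings claims at once.
        if self.full_access_windows and self.specific_access_windows:
            raise ValueError("a user can't hold both full and specific access")


def can_connect(claims: SupporterClaims, endpoint_gp: str) -> bool:
    """True if the Supporter may open a Remote Desktop session to an endpoint in endpoint_gp."""
    # Scenario 2: full device-settings access reaches any endpoint, RD claim irrelevant.
    if claims.full_access_windows:
        return True
    # Scenario 3: RD full access reaches any endpoint, regardless of its GP.
    if claims.remote_desktop_full_access:
        return True
    # Scenario 1: specific access only reaches endpoints in the listed GPs.
    if claims.specific_access_windows:
        return endpoint_gp in claims.specific_gps
    # Scenario 4: nothing granted, so no connection at all.
    return False


def reachable_endpoints(claims: SupporterClaims, endpoints: dict) -> set:
    """Given {hostname: gp}, return the hostnames the Supporter can connect to (audit view)."""
    return {host for host, gp in endpoints.items() if can_connect(claims, gp)}


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    inventory = {"WS-FIN-01": "Finance GP", "WS-DEV-07": "Developers GP", "SRV-DB-02": "Servers GP"}
    helpdesk = SupporterClaims(specific_access_windows=True, specific_gps=frozenset({"Finance GP"}))
    print(sorted(reachable_endpoints(helpdesk, inventory)))  # ['WS-FIN-01']
```

Note that scenario 3 takes precedence over scenario 1: a Supporter with specific access who is also granted “Remote desktop connect full access” reaches every endpoint, so review that claim with the same care as full access.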
- Fix related to the ability to revoke existing local admin. rights
We’ve implemented a fix for a scenario in which the “Revoke existing local admin rights” functionality (Endpoint Settings -> Privileges & App. Control -> Privileged Access Management) did not work properly on Azure AD joined computers where the logged-in user was a Global Administrator.
If you need help with anything, don’t hesitate to contact corpsupport@heimdalsecurity.com.